diskimage-builder/diskimage_builder/elements/debian-minimal
Steve Baker 27a326dafb Support secure-boot bootloader where possible
As of grub2 >= 2.02-95 on redhat family distros, calling grub2-install
on an EFI partition will fail with: "this utility cannot be used for
EFI platforms because it does not support UEFI Secure Boot."

This version of grub is now in centos8-stream and non-eus repos of
RHEL-8. It is not currently possible to build whole-disk UEFI images
on these distros, and when this package is promoted this will also
affect centos8 and RHEL-8 eus. The grub maintainers made this change
because the grub2-install generated /boot/efi/EFI/BOOT/BOOTX64.EFI
will never be capable of booting with Secure Boot.

This change defines a $EFI_BOOT_DIR for every distro element. When
directory /boot/efi/$EFI_BOOT_DIR exists a grub.cfg file will be
generated there. This change also installs the shim package on redhat
family distros, which installs a copy of the shim bootloader to
/boot/efi/EFI/BOOT/BOOTX64.EFI. Using centos as an example, this
allows UEFI to boot the shim /boot/efi/EFI/BOOT/BOOTX64.EFI which
then chains to /boot/efi/EFI/centos/grubx64.efi.

If /boot/efi/$EFI_BOOT_DIR doesn't exist (such as for Ubuntu,
/boot/efi/EFI/ubuntu) the current behaviour of running grub-install to
generate /boot/efi/EFI/BOOT/BOOTX64.EFI will continue. For distros
such as Ubuntu where packaging does not populate /boot/efi/EFI/ubuntu
with .efi files, secure boot can be added in the future by copying
.efi files to /boot/efi/EFI/ubuntu and copying the shim file to
/boot/efi/EFI/BOOT/BOOTX64.EFI.

Change-Id: I90925218ff2aa4c4daffcf86e686b6d98d6b0f21
2021-03-11 10:27:59 +13:00
environment.d Support secure-boot bootloader where possible 2021-03-11 10:27:59 +13:00
root.d Deprecate dib-python; remove from in-tree elements 2020-08-07 10:38:16 +10:00
test-elements Add a test to validate we can build debian vms 2017-05-05 19:17:39 +02:00
element-deps Deprecate dib-python; remove from in-tree elements 2020-08-07 10:38:16 +10:00
element-provides Move elements & lib relative to diskimage_builder package 2016-11-01 17:27:41 -07:00
package-installs.yaml Add debian minimal requirement for arm64 2017-10-16 13:39:50 +08:00
README.rst Add security suite name override in debian-minimal 2019-10-15 21:20:02 +00:00

==============
debian-minimal
==============

The ``debian-minimal`` element uses debootstrap for generating a
minimal image.

By default this element creates the latest stable release.  The exact
setting can be found in the element's ``environment.d`` directory in
the variable ``DIB_RELEASE``.  If a different release of Debian should
be created, the variable ``DIB_RELEASE`` can be set appropriately.

Note that this element installs ``systemd-sysv`` as the init system.

The element obeys the ``DIB_DISTRIBUTION_MIRROR`` argument for
mirroring (see ``debootstrap`` element documentation).  However, the
security repositories are separate for Debian, so we cannot assume
they exist at ``DIB_DISTRIBUTION_MIRROR``.  If you do not wish to use
the upstream repository (from ``security.debian.org``) override it
with ``DIB_DEBIAN_SECURITY_MIRROR``. The security suite name's subpath
can also be overridden to something other than ``/updates`` with the
``DIB_DEBIAN_SECURITY_SUBPATH`` variable.
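
The following added example (not part of diskimage-builder) shows how the release, security mirror and subpath combine into a suite name such as ``bullseye-security``, the naming Debian uses from bullseye on, and checks that a built image's apt sources carry an active entry for it. The ``deb <mirror> <release><subpath> main`` line format, the default mirror URL, the helper names and ``mirror.example.org`` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not diskimage-builder code.
# Assumption: the security entry has the form
#   deb <mirror> <release><subpath> main
# and the default mirror URL below stands in for security.debian.org.

# Print the security suite name for the current DIB_* settings.
security_suite() {
    printf '%s%s\n' "${DIB_RELEASE:?DIB_RELEASE must be set}" \
        "${DIB_DEBIAN_SECURITY_SUBPATH:-/updates}"
}

# Print the full apt source line for the security repository.
security_source_line() {
    suite="$(security_suite)" || return 1
    printf 'deb %s %s main\n' \
        "${DIB_DEBIAN_SECURITY_MIRROR:-http://security.debian.org/}" "$suite"
}

# Succeed only if sources file $1 has an active (uncommented) "deb" entry
# for the expected security suite. Entries with [options] are not handled.
has_security_suite() {
    suite="$(security_suite)" || return 1
    awk -v s="$suite" \
        '$1 == "deb" && $3 == s { found = 1 } END { exit !found }' "$1"
}

# Constructed sample: a sources.list as it might look inside a built image.
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
deb http://mirror.example.org/debian bullseye main
# deb http://mirror.example.org/debian-security bullseye/updates main
deb http://mirror.example.org/debian-security bullseye-security main
EOF
    DIB_RELEASE=bullseye
    DIB_DEBIAN_SECURITY_MIRROR=http://mirror.example.org/debian-security
    DIB_DEBIAN_SECURITY_SUBPATH=-security
    security_source_line
    has_security_suite "$tmp" && echo "security suite present"
    # With the default /updates subpath the only match is commented out.
    unset DIB_DEBIAN_SECURITY_SUBPATH
    has_security_suite "$tmp" || echo "security suite missing"
    rm -f "$tmp"
}
demo
```

An image whose sources lack an active security entry will not receive security updates, so a check like this is worth running whenever the mirror or subpath is overridden.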

.. element_deps::